Masashi Crete-Nishihata

Twitter Envelope PGP Key


Are the Kids Alright?: Digital Risks to Minors from South Korea’s Smart Sheriff Application

This report describes the results of two independent security audits of Smart Sheriff, one by researchers who collaborated at the 2015 Citizen Lab Summer Institute (held at the Munk School of Global Affairs, University of Toronto), and the other by the auditing firm Cure53. The combined audits identified twenty-six security vulnerabilities in recent versions of Smart Sheriff (versions 1.7.5 and under). These vulnerabilities could be leveraged by a malicious actor to take control of nearly all Smart Sheriff accounts and disrupt service operations.

Every Rose Has Its Thorn: Censorship and Surveillance on Social Video Platforms in China

In this paper presented at USENIX FOCI 2015 we use reverse engineering to provide a view into how keyword censorship operates on four popular social video platforms in China: YY, 9158, Sina Show, and GuaGua. We also find keyword surveillance capabilities on YY. Our findings show inconsistencies in the implementation of censorship and the keyword lists used to trigger censorship events between the platforms we analyzed. We reveal a range of targeted content including criticism of the government and collective action. These results provide evidence that there is no monolithic set of rules that govern how information controls are implemented in China.

A Chatty Squirrel: Privacy and Security Issues with UC Browser

UC Browser is the most popular mobile web browser in China and India, boasting over 500 million users. This report provides a detailed analysis of how UC Browser manages and transmits user data, particularly private data, during its operation. Our research was prompted by revelations in a document leaked by Edward Snowden on which the Canadian Broadcasting Corporation (CBC) was preparing a story.


UC浏览器是一种移动浏览器,它目前拥有超过5亿的注册用户,是中国和印度最受欢迎的手机浏览器。在《啰嗦的松鼠:UC浏览器的隐私与安全问题》这一报告中,公民实验室(Citizen Lab)发现中文和英文安卓版UC浏览器中存在多个隐私及安全漏洞, 并讨论了它们的重要性。

Tibetan Uprising Day Malware Attacks

Hundreds of members of the Tibetan community are being targeted by email-based malware attacks that leverage the March 10 Tibetan Uprising anniversary as a theme. This report analyzes two March 10 related attacks. One using a new malware family we call MsAttacker , and another using the ShadowNet malware family and command and control infrastructure related to previous campaigns that targeted the Tibetan community.